Log In

VMware releases patches for ESX code leak

VMware on Thursday released security patches for products it says could face heightened risk due to last month's ESX server hypervisor source code leak.

The patches address five "critical security issues" in VMware's Workstation, Player, ESXi and ESX products, the vendor said in a security bulletin. All five vulnerabilities could enable an attacker to execute code on the host; two require root or administrator level permissions and two do not.

"In light of the current circumstances, we have accelerated our most recent security patches and applied them to all affected currently supported products," VMware said in a separate blog post.

One of the vulnerabilities, which affects ESX's handling of Network File System (NFS) traffic, could enable a user with access to the network to execute code on the ESXi/ESX host without authentication, VMware said in the bulletin.

"By applying the combination of the most current product updates and the relevant security patches, we believe our customer environments will be best protected," VMware said in the blog post.

"Hardcore Charlie," the LulzSec-affiliated hacker who posted the VMware ESX source code online on April 8, has vowed to publish 300 MB of the pilfered ESX source code on May 5, so VMware is apparently trying to get out in front of security issues that could arise from such a disclosure.

VMware has been relatively unscathed from a security standpoint and does not have to deal with the flood of security exploits that companies such as Microsoft and Oracle deal with regularly. So far, security experts are impressed with VMware's response to the ESX issue.

"It does seem that this disclosure has rattled VMware a bit. However, their rush to patch is a good sign," said Andrew Plato, president of Anitian Enterprise Security, security solution provider. "They are clearly taking this seriously and communicating with their customers."

"I like the way VMware is handling this," said Robert Germain, vice president of engineering at solution provider Hub Technical Services. "They're being very open and telling customers to make sure they're up to date with products and patches."

All rights reserved. This material may not be published, broadcast, rewritten or redistributed in any form without prior authorisation.Your use of this website
constitutes acceptance of nextmedia's Privacy Policy and
Terms & Conditions.